Cybersecurity for Case Managers: Don't Get Hooked - How to Prevent Being Caught in a "Phishing" Attack

Pat Stricker, RN, MEd
Senior Vice President
TCS Healthcare Technologies

This is the third article in a series on cybersecurity related to the healthcare industry. The first two articles dealt with the incidence and impact of cybersecurity breaches and the responsibilities of each individual case manager in preventing breaches. This article will discuss the incidence and significance of "Phishing" and what you can do to make sure you are not caught in a phishing attack.

Phishing is a scam aimed at getting an online user to reveal personal or confidential information for the purpose of identity theft. There are three types of attacks:

A phishing scam typically starts with a legitimate-appearing email from a person, company or website asking the user to update personal information, such as a password, credit card number, social security number or bank account number. The message looks authentic and appears to come from an organization the user may have an account with. It may also include legitimate-looking company logos and the formats the company uses. In fact, it usually looks so authentic that up to 20 percent of recipients respond, and 91 percent of data breaches start with a phishing attack. The average cost of a phishing attack is $1.8 million. The 2015 HIMSS Cybersecurity Survey of 300 top health care information professionals found that phishing attacks are their biggest future security fear and the #1 thing that keeps Chief Information Security Officers up at night.

The Phishing Activity Trends Report shows that there were 630,404 unique phishing attacks detected from January to September 2015. This means 36 percent of the world's computers are infected with this type of malware. While some employees are specifically targeted because of their position or the types of information they have access to, all individuals and companies should assume they are, or will be, targets of phishing attacks.

Phishing scams are frequently presented in the form of spam or pop-ups that are introduced through email. To make sure you are not a victim of a phishing attack, let's review some things you can do to prevent getting "hooked." Two articles, 8 Ways to Prevent "Phishing Scams" and 10 Tips to Prevent Phishing Attacks provide the following useful suggestions to help guard against phishing:

  Be wary of emails that:
  o Are not personalized.
  o Come from unknown senders.
  o Ask you to confirm/update personal information (especially when the request is urgent).
  o Threaten you with frightening consequences if you do not respond.
  o Duplicate the image of a real company or are visually similar to a real business.
  o Copy the name of a company or of an actual employee of the company.
  o Promote gifts, or warn of the loss of an existing account.

  o Do not give personal information over the phone to anyone who calls you, and do not call the phone number provided in an email asking you to update your information. Look up the number of the company or organization yourself and call them to verify whether the email or call is legitimate.

  o For transactions initiated from an email, make sure the website is secure before giving any information.
  o Hover over the hyperlink to see the address it actually points to. You should be able to tell whether it is the official website address or a copy-cat. Example: www.banskfamerica.com instead of www.bankofamerica.com.
  o Always enter the company website address yourself, or look up the company phone number and call to see if they are requesting the information. Legitimate businesses usually do not request personal information by email.
  o Never enter personal information through links provided in an email. Only log in and enter personal information once you are sure you are on the official site.

  o Never enter personal information in a pop-up screen.
  o Do not click on links in a pop-up screen.
  o Do not copy web addresses from pop-ups into your browser.
  o Do not submit personal information into pop-up screens, since legitimate organizations do not ask you to submit information that way.
  o Enable pop-up blockers.
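The "hover over the hyperlink" check above can be automated for a whole message. The script below is an added example written for this article, not a tool from the author or TCS Healthcare Technologies; it walks the links in a constructed sample email, compares the domain the link text shows with the domain the link really points to, flags links that are not HTTPS, and flags registered domains that are only a few character edits away from a domain on a hypothetical allow-list (the copy-cat pattern in the www.banskfamerica.com example). The allow-list, the sample email and the edit-distance threshold are assumptions for illustration.

```python
"""Email link checker (added example; not from the original article)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list: domains this organization expects email links to use.
TRUSTED_DOMAINS = {"bankofamerica.com", "tcshealthcare.com"}

# Constructed sample message: the first link shows the real bank's address as its
# text but points at a copy-cat domain over plain HTTP; the second link is clean.
SAMPLE_EMAIL = """
<p>Dear Customer, your account will be suspended. Please visit
<a href="http://www.banskfamerica.com/verify">www.bankofamerica.com</a>
to confirm your details, or see our
<a href="https://www.bankofamerica.com/help">help page</a>.</p>
"""


def levenshtein(a, b):
    """Edit distance: number of single-character insertions/deletions/substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(hostname):
    """Crude registrable-domain extraction (last two labels); fine for .com-style names."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def assess_link(href, text, trusted=TRUSTED_DOMAINS, max_edits=3):
    """Return a list of human-readable warnings for one link (empty list = nothing odd)."""
    findings = []
    parsed = urlparse(href)
    target = registered_domain(parsed.hostname or "")
    if parsed.scheme != "https":
        findings.append("not https")
    # Visible text that looks like a web address but differs from the real target.
    shown = re.search(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", text, re.I)
    if shown and registered_domain(shown.group(1)) != target:
        findings.append(f"text shows {registered_domain(shown.group(1))} but link goes to {target}")
    # Copy-cat detection: a domain that is a small edit away from a trusted one.
    if target not in trusted:
        for good in trusted:
            dist = levenshtein(target, good)
            if 0 < dist <= max_edits:
                findings.append(f"{target} looks like {good} (edit distance {dist})")
    return findings


def scan_email(html):
    """Map each link href in the message to its list of warnings."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: assess_link(href, text) for href, text in parser.links}


if __name__ == "__main__":
    for href, warnings in scan_email(SAMPLE_EMAIL).items():
        print(href, "->", warnings or "ok")
```

The edit-distance check is deliberately simple: it catches transposed or swapped letters such as banskfamerica, but not every homograph trick, so it complements rather than replaces typing the address yourself.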

The weakest link in any security system is the human element, and that is particularly true when it comes to phishing attacks. Employees are the biggest risk factor in phishing attacks, since they are the ones who take the action that allows the scam to succeed. In addition, hackers have become more creative in manipulating and influencing people, which allows them to gain access to computer systems and obtain sensitive information.

Therefore, the most important aspect of preventing phishing attacks is education. Users must be aware of what to watch for and vigilant in looking for potential attacks. Regular employee training can reduce the percentage of successful phishing attacks. In addition to regular security training, there are free phishing tests and tools available to help organizations determine their phishing risk. The spear phishing awareness failure rate for the 79 percent of companies that tested their employees was 16 percent.

To test your employees (or to test yourself), you can use the following free phishing tools and tests to see how likely they (or you) are to fall prey to a phishing attack:

Remember, anyone can be targeted almost anywhere online, so you need to keep an eye out for "phishy" schemes. I'm sure you don't want to be the one responsible for allowing malware, a virus, or spyware to gain access to your organization's computer system, or worse yet, the one responsible for a data breach that resulted from a phishing attack that caught you.

Watch out for the "phish"!

Pat Stricker, RN, MEd, is senior vice president of Clinical Services at TCS Healthcare Technologies. She can be reached at pstricker@tcshealthcare.com.